Chronic Poisoning against Machine Learning Based IDSs Using Edge Pattern Detection

Pan Li, Qiang Liu, Wentao Zhao, Dongxu Wang, Siqi Wang
College of Computer
National University of Defense Technology
Changsha, Hunan, China 410073
Email: {lipan16, qiangliu06, wtzhao, wangdongxu15}@nudt.edu.cn, wangsiqi10c@gmail.com
Abstract—In the big data era, machine learning is one of the fundamental techniques in intrusion detection systems (IDSs). The poisoning attack, one of the most recognized security threats to machine learning-based IDSs, injects adversarial samples into the training phase, inducing drift in the training data and a significant performance decrease of the target IDS on testing data. In this paper, we adopt the Edge Pattern Detection (EPD) algorithm to design a novel poisoning method that attacks several machine learning algorithms used in IDSs. Specifically, we propose a boundary pattern detection algorithm that efficiently generates points that are near to abnormal data but considered normal by the current classifiers. Then, we introduce a Batch-EPD Boundary Pattern (BEBP) detection algorithm to overcome the limited number of edge pattern points generated by EPD and to obtain more useful adversarial samples. Based on BEBP, we further present a moderate but effective poisoning method called the chronic poisoning attack. Extensive experiments on synthetic and three real network data sets demonstrate the performance of the proposed poisoning method against several well-known machine learning algorithms and a practical intrusion detection method named FMIFS-LSSVM-IDS.
Index Terms—Chronic poisoning, intrusion detection system,
machine learning, data drifting
I. INTRODUCTION
Currently, intelligent intrusion detection systems (IDSs) generally adopt various machine learning techniques to decide on the presence of security threats using high-performance classifiers, which are obtained via learning models and algorithms such as the support vector machine (SVM), Naive Bayes (NB), logistic regression (LR), decision trees and artificial neural networks [1] [2]. For example, the authors in [1] proposed an efficient intrusion detection method by combining flexible mutual information based feature selection (FMIFS) and the least-squares SVM (LSSVM), achieving state-of-the-art classification performance on the widely recognized KDDCUP99, NSL-KDD and Kyoto 2006+ data sets.
Although machine learning has been extensively used for intelligent decision making in IDSs, previous works have demonstrated that the technology itself suffers from diverse security threats, e.g., attacks against spam filtering [3], malware detection [4] [5] and anomaly detection systems [6] [7]. Basically, security threats to machine learning can be classified into two categories, i.e., exploratory and causative attacks [8]. Specifically, the exploratory attack exploits the security vulnerabilities of learning models to deceive the resulting classifiers without affecting their training phase. For example, adversaries generate customized adversarial samples¹ to evade spam filtering [3] and malware detection systems [5] [9]. Considering the great influence of deep neural networks (DNNs) in several application scenarios, e.g., speech recognition, image recognition, natural language processing and autonomous driving, some researchers have paid more attention to exploratory attacks against prevailing DNNs [10] [11]. On the other hand, the causative attack (also termed the poisoning attack) changes training data sets by injecting adversarial samples, thereby influencing the training phase of learning models [8]. Typically, such adversarial samples are designed by adversaries to have features similar to malicious samples but wrong labels, inducing a change of the training data distribution. Therefore, adversaries can reduce the accuracy of classification or regression models. Since the training data in practical machine learning based systems are protected with high confidentiality, it is not easy for adversaries to alter the data themselves. Alternatively, adversaries are able to exploit the vulnerability that stems from retraining existing machine learning models. Since machine learning based systems in practical usage, e.g., anomaly detection systems [6] [7], are generally required to periodically update their decision models to adapt to varying application contexts, the poisoning attack is emerging as a main security threat to these real systems. Hence, we focus on the latter type of security threat to machine learning in this paper.
Existing work regarding poisoning attacks mainly falls into poisoning SVMs [12] and principal component analysis (PCA) [7] via direct gradient methods. However, these attacking methods are not effective for poisoning other learning models. Recently, a poisoning attack against DNNs was proposed by adopting the concept of the generative adversarial network (GAN) [13]. The label contamination attack (LCA) is another type of poisoning attack against black-box learning models [14]. However, LCA makes the strong assumption that the adversary is able to change the labels of training data, which is difficult in reality. In addition, some researchers proposed another attacking strategy called model inversion, which uses the information exposed by system application programming interfaces (APIs) [15] [16].
¹The terms sample and data point are used interchangeably in this paper for convenience.
978-1-5386-3180-5/18/$31.00 ©2018 IEEE
In this paper, we propose a novel poisoning method using the Edge Pattern Detection (EPD) algorithm described in [17] [18]. Specifically, we propose a boundary pattern detection algorithm to efficiently generate poisoning data points that are near to abnormal data but regarded as normal by current classifiers. We then present a Batch-EPD Boundary Pattern (BEBP) detection algorithm to address the limited number of edge pattern points generated by conventional EPD and to obtain more useful boundary pattern points. After that, we present a moderate but effective poisoning method based on BEBP, called the chronic poisoning attack. Compared to previous poisoning methods, a notable advantage of the proposed method is that it can poison different learning models such as SVMs (with linear, RBF, sigmoid and polynomial kernels), NB and LR. Extensive experiments on synthetic and three real network data sets, i.e., KDDCUP99, NSL-KDD and Kyoto 2006+, demonstrate the effectiveness of the proposed poisoning method against the above learning models and a practical intrusion detection method named FMIFS-LSSVM-IDS (see [1]).
The rest of this paper is organized as follows: Section II presents an adversary model and some assumptions. Section III gives the details of the proposed poisoning method. Section IV evaluates the performance of the proposed method via extensive experiments on synthetic and real network data sets. Finally, Section V concludes the paper.
II. ADVERSARY MODEL AND ASSUMPTIONS
In this section, we present an adversary model and make
some proper assumptions from four aspects: goal, knowledge,
capability and strategy.
(a) The adversarial goal. Generally speaking, the adversarial goal is the intention behind launching attacks, e.g., breaking integrity, availability or user privacy [8] [19]. In the poisoning attack, integrity violation and availability violation are the two dominant goals of an adversary. In more detail, the adversary hopes to degrade a learning model and its application performance by poisoning the training phase. Hence, we assume that the adversarial goal is to reduce the accuracy and the detection rate of IDSs.
(b) The adversarial knowledge. To achieve the above goal, an adversary needs some information about the target IDS. The adversarial knowledge is thus the prior information that the adversary can utilize to design attacking strategies, including the learning algorithms, training and testing data sets, extracted features, etc. [8]. Conventional poisoning methods [6] [7] require full knowledge of target systems, which is not realistic in practical usage. Therefore, we make the limited-knowledge assumption that the adversary only knows the details of the training data.
(c) The adversarial capability. The adversarial capability of launching poisoning attacks covers two points. One is whether or not the adversary can change the labels or the features of training data. The other is how many adversarial samples the adversary can inject into the training data. Accordingly, we make two more assumptions regarding the adversarial capability: the adversary can neither change the labels nor modify the features of existing training data, and is able to inject adversarial samples each time the target system is updated (i.e., each time the learning model is retrained).
(d) The adversarial strategy. Based on the assumptions made before, we define the adversarial strategy as

$$\min\ P(m \mid \theta) \quad (1)$$
$$\text{s.t.}\ N(\mathcal{D}_a) < \eta\, N(\mathcal{D}_{tr}), \quad (2)$$

where $N(\mathcal{D}_{tr})$ denotes the total number of training samples, $\eta$ is a constant parameter representing the poisoning degree of adversarial samples, $m$ refers to the target learning model that the adversary aims to compromise, $\theta$ is the adversarial knowledge, including the training data and the output labels returned for fed inputs, and $N(\mathcal{D}_a)$ represents the number of adversarial samples that the adversary can inject. Thus, the adversarial goal $P$ is to minimize the performance of the target learning model $m$ under limited knowledge $\theta$ and capability $N(\mathcal{D}_a)$.
III. DETAILS OF THE PROPOSED BATCH POISONING METHOD
A. Formulation of Adversarial Sample Generation
According to the adversary model, an adversary has no knowledge about the learning models in machine learning-based IDSs. Hence, the proposed poisoning method can be regarded as a kind of black-box attack. Since the information about learning models is unknown, the adversary instead prefers to inject adversarial samples such that target models cannot fit the real distribution of the training data well. This process is termed data drifting in this paper.
To maximize the effect of data drifting in the training data, the best strategy is to generate adversarial samples that are close to the discriminant plane defined by a pretrained decision function $f(\mathbf{x})$. Hence, the black-box poisoning problem can be formally defined as generating a set of adversarial samples $\mathcal{D}_a$ satisfying

$$\mathcal{D}_a = \{\mathbf{x}_a \mid d(\mathbf{x}_a, \mathbf{x}_b) < \varepsilon,\ f(\mathbf{x}_b) = 0\}, \quad (3)$$

where $d(\mathbf{x}_1, \mathbf{x}_2)$ is the Euclidean distance between two vectors, and $\varepsilon$ denotes the chosen distance threshold between an adversarial sample $\mathbf{x}_a \in \mathcal{D}_a$ and the discriminant plane.
B. Boundary Pattern Detection
As per the formulation of adversarial sample generation, we define the boundary pattern as the data points that are near to abnormal data but considered normal by classifiers. Thus, the goal of the proposed poisoning method is to generate the boundary pattern, which is then used to shift the discriminant plane towards the centre of the abnormal data during model retraining. Accordingly, we propose a boundary pattern detection (BPD) algorithm that uses the edge pattern detection (EPD) algorithm [17] [18] to effectively generate boundary pattern samples. BPD has two main steps:
(a) Detecting the edge pattern points of normal data, i.e., data regarded as normal behaviour by the IDS. Given $\mathcal{D}_{nd}$, it is easy to find the edge pattern points $\mathcal{D}_{ep}$ ($\mathcal{D}_{ep} \subset \mathcal{D}_{nd}$) by applying the EPD algorithm [17]. Moreover, we calculate the normal vector with respect to each edge point to obtain the direction that departs from $\mathcal{D}_{nd}$ fastest [18]. Let $\mathcal{N}$ denote the set of all normal vectors with respect to $\mathcal{D}_{ep}$.
(b) Generating the boundary pattern by shifting the edge pattern points outwards. Although these edge pattern points lie on the exterior surface of $\mathcal{D}_{nd}$, they may be far from the discriminant plane $f(\mathbf{x})$. Hence, we perform the following two operations based on $\mathcal{D}_{ep}$ and $\mathcal{N}$: first, select an edge pattern point $\mathbf{x}_{ep} \in \mathcal{D}_{ep}$ and its corresponding normal vector $\mathbf{n}_{ep} \in \mathcal{N}$; then, shift $\mathbf{x}_{ep}$ outwards along the direction of $\mathbf{n}_{ep}$ until the generated data points are near to the discriminant plane of the classifier. The data shifting is formally defined by

$$\mathbf{x}_a^{i} = \mathbf{x}_a^{i-1} + k_{i-1}\,\lambda_{i-1}\,\mathbf{n}_{ep}, \quad (4)$$

where

$$\begin{cases} k_i = 1,\ \lambda_i = \lambda_{i-1}, & \text{if } f(\mathbf{x}_a^{i-1}) \text{ is normal} \\ k_i = -1,\ \lambda_i = \lambda_{i-1}/3, & \text{otherwise} \end{cases} \quad (5)$$

The pseudo code of the BPD algorithm is shown in Fig. 1, where $m$ is the maximal number of iterations, $\lambda$ is the initial shifting step size, and $\mathbf{x}_{ep}$ and $\mathbf{n}_{ep}$ represent the selected edge pattern point and its corresponding normal vector, respectively. In particular, we first shift $\mathbf{x}_{ep}$ outwards along the direction of its normal vector $\mathbf{n}_{ep}$ according to equations (4) and (5), where $\mathbf{x}_a^{i}$ and $\lambda_i$ are the generated adversarial sample and the shifting step size in the $i$th iteration. Note that $\mathbf{x}_a^{0} = \mathbf{x}_{ep}$. Furthermore, the output $f_M(\mathbf{x})$ of a target learning model $M$ with respect to an input sample $\mathbf{x}$ falls into $\{N, A\}$, representing Normal and Abnormal, respectively. Finally, we select valid adversarial samples (i.e., boundary pattern points) according to equation (3). For simplicity, $\varepsilon$ is set to $\lambda$.
1. Input: An edge pattern point x_ep and corresponding normal vector n_ep, target learning model M, m, λ
2. Output: A boundary pattern D_bp generated from x_ep
3. Initialize λ_0 = λ, x_a^0 = x_ep, D_bp = ∅;
4. for i = 0, ..., m−1 do
5.   if f_M(x_a^i) == N then
6.     if (∃ x_b : f_M(x_b) = 0 and d(x_a^i, x_b) < ε) then
7.       D_bp = D_bp ∪ {x_a^i};
8.     end if
9.     x_a^{i+1} = x_a^i + λ_i n_ep; λ_{i+1} = λ_i;
10.  else
11.    x_a^{i+1} = x_a^i − λ_i n_ep; λ_{i+1} = λ_i / 3;
12.  end if
13. end for
Fig. 1. Pseudo code of the boundary pattern detection algorithm
1. Input: A training data set D_tr, target learning model M, maximal number of iterations m, shifting step size λ, batch size L;
2. Output: Generated adversarial samples D_a;
3. Select the training data D_tr^(N) with normal labels from D_tr;
4. Initialize D_a = ∅, k = size(D_tr^(N)) / L;
5. for i = 1, ..., k do
6.   Randomly select L samples from D_tr^(N), denoted by D_i^(N);
7.   Calculate D_ep and the corresponding N regarding D_i^(N) using EPD;
8.   for x_ep ∈ D_ep do
9.     Calculate D_bp using BPD with inputs x_ep, n_ep, m, M and λ;
10.    D_a = D_a ∪ D_bp;
11.  end for
12. end for
Fig. 2. Pseudo code of the Batch-EPD boundary pattern detection algorithm
C. Batch-EPD Boundary Pattern Detection
Although the aforementioned BPD algorithm can effectively generate the boundary pattern, it is constrained by the limited number of edge pattern points, especially for data sets with sparse edge points. Hence, we further introduce a Batch-EPD method, which is able to directly obtain more valid adversarial samples near the discriminant boundary of learning models. The main idea of Batch-EPD is as follows. In the first stage, we randomly select $k$ subsets $\mathcal{D}^{(N)}_1, \mathcal{D}^{(N)}_2, \dots, \mathcal{D}^{(N)}_k$ from the training data $\mathcal{D}^{(N)}_{tr}$ with Normal labels. Then, we utilize the conventional EPD algorithm to calculate edge pattern points and corresponding normal vectors with respect to each subset $\mathcal{D}^{(N)}_i$ ($i = 1, 2, \dots, k$). Note that some edge pattern points generated by Batch-EPD may lie among the inner data points of $\mathcal{D}^{(N)}_{tr}$. However, the proposed BPD algorithm can still shift these inner points to the discriminant boundary. Fig. 2 shows the pseudo code of the proposed Batch-EPD boundary pattern (BEBP) detection algorithm.
To demonstrate the improvement of BEBP compared to BPD, Fig. 3 illustrates comparative results on a synthetic data set, where blue (red) stars are normal (abnormal) samples, and blue and red solid circles refer to edge pattern points and generated adversarial samples, respectively.
D. Chronic Poisoning Attack Using BEBP
Based on the aforementioned BEBP algorithm, we now present a moderate but effective poisoning method against learning models, called the chronic poisoning attack. Similar to the boiling frog poisoning attack proposed in [7], the proposed chronic poisoning attack using BEBP is also a long-term poisoning method, which changes the distribution of the training data each time the learning model is updated. By gradually injecting adversarial samples that are classified as normal and lie near the discriminant boundary defined by the pretrained model, the boundary of the updated model after retraining on the corrupted training data moves towards the centre of the abnormal data points. As a result, the performance of the IDS at detecting abnormal samples decreases significantly after several rounds of poisoning. Fig. 4 shows the pseudo code of the chronic poisoning attack using BEBP, where $\mathcal{D}^{(i)}_{tr}$ and $M_i$ refer to the training data and the pretrained model at the $i$th round of poisoning, respectively.
Fig. 3. Comparative results on a synthetic data set between BPD and BEBP
1. Input: An initial training data set D_tr^(0), an initial learning model M_0, number of poisoning rounds r
2. for i = 0, ..., r−1 do
3.   Generate adversarial samples D_a using the BEBP algorithm with inputs D_tr^(i) and M_i;
4.   D_tr^(i+1) = D_tr^(i) ∪ D_a;
5.   Retrain a new model M_{i+1} based on D_tr^(i+1);
6. end for
Fig. 4. Pseudo code of the chronic poisoning attack using BEBP
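The three procedures above (BPD in Fig. 1, BEBP in Fig. 2 and the chronic loop in Fig. 4) chained together against a black-box oracle, as an added example that is not code from the paper. It runs offline in plain Python. Two stand-ins are assumptions rather than the paper's choices: the target model $M$ is a threshold on the first feature at the midpoint of the two class means (the attack only ever calls it as an oracle that answers N or A), and the EPD step of [17] is replaced by a proxy that takes the points of a batch farthest from the batch centroid as edge points, with the outward unit vector as $\mathbf{n}_{ep}$. Because a black-box oracle exposes no points with $f(\mathbf{x}_b) = 0$, the distance test of equation (3) is approximated by probing $\mathbf{x} + \varepsilon\mathbf{n}_{ep}$ and keeping $\mathbf{x}$ when it is still classified N while the probe is classified A. The 2-D grids are constructed data, not any real traffic set.

```python
"""BPD (Fig. 1), BEBP (Fig. 2) and the chronic poisoning loop (Fig. 4) run
against a black-box oracle. Added example; the threshold model and the
edge-pattern proxy are assumptions, the grid data are constructed."""
import math
import random

N, A = "N", "A"  # oracle outputs: Normal / Abnormal


class ThresholdModel:
    """Stand-in black-box IDS (assumption): abnormal when feature 0 exceeds
    the midpoint of the two per-class means of that feature."""

    def fit(self, data):
        xs = {lab: [p[0] for p, l in data if l == lab] for lab in (N, A)}
        self.t = (sum(xs[N]) / len(xs[N]) + sum(xs[A]) / len(xs[A])) / 2
        return self

    def predict(self, p):
        return A if p[0] > self.t else N


def edge_patterns(batch, q=2):
    """Proxy for EPD [17] (assumption): the q points of `batch` farthest from
    its centroid, each paired with the unit vector pointing away from it."""
    c = tuple(sum(v) / len(batch) for v in zip(*batch))
    out = []
    for p in sorted(batch, key=lambda p: -math.dist(p, c))[:q]:
        r = math.dist(p, c)
        if r > 0:
            out.append((p, tuple((pi - ci) / r for pi, ci in zip(p, c))))
    return out


def bpd(x_ep, n_ep, model, m=20, lam=0.5):
    """Fig. 1: walk x_ep outward along n_ep while the oracle answers N; on A
    step back and divide the step by 3. eps = initial lam as in the paper.
    The 'within eps of the boundary' test of eq. (3) becomes a probe at
    x + eps*n_ep, since a black-box oracle exposes no f(x_b) = 0 points."""
    eps, x, d_bp = lam, x_ep, []
    for _ in range(m):
        if model.predict(x) == N:
            probe = tuple(xi + eps * ni for xi, ni in zip(x, n_ep))
            if model.predict(probe) == A:
                d_bp.append(x)  # still normal, boundary less than eps ahead
            x = tuple(xi + lam * ni for xi, ni in zip(x, n_ep))
        else:
            x = tuple(xi - lam * ni for xi, ni in zip(x, n_ep))
            lam /= 3
    return d_bp


def bebp(d_tr, model, rng, L=5, m=20, lam=0.5):
    """Fig. 2: random batches of L normal-labelled points, EPD proxy on each
    batch, BPD from every edge point; union of all boundary patterns."""
    normals = [p for p, l in d_tr if l == N]
    rng.shuffle(normals)
    d_a = []
    for i in range(0, len(normals) - L + 1, L):
        for x_ep, n_ep in edge_patterns(normals[i:i + L]):
            d_a.extend(bpd(x_ep, n_ep, model, m, lam))
    return d_a


def metrics(model, test):
    """ACC and DR of eqs. (6) and (7) over (point, label) pairs."""
    tp = tn = fp = fn = 0
    for p, lab in test:
        pred = model.predict(p)
        if lab == A:
            tp, fn = tp + (pred == A), fn + (pred == N)
        else:
            tn, fp = tn + (pred == N), fp + (pred == A)
    return (tp + tn) / len(test), tp / (tp + fn)


def chronic_poisoning(d_tr, test, rounds=15, eta=0.3, seed=0):
    """Fig. 4: per round generate D_a against the current model, keep fewer
    than eta*|D_tr| of them (eq. 2), append them labelled N, retrain.
    Returns [(ACC, DR), ...] with the clean model at index 0."""
    rng = random.Random(seed)
    model = ThresholdModel().fit(d_tr)
    history = [metrics(model, test)]
    for _ in range(rounds):
        d_a = bebp(d_tr, model, rng)
        budget = math.ceil(eta * len(d_tr)) - 1
        if len(d_a) > budget:
            d_a = rng.sample(d_a, budget)
        d_tr = d_tr + [(p, N) for p in d_a]  # existing labels untouched
        model = ThresholdModel().fit(d_tr)
        history.append(metrics(model, test))
    return history


def grid(xs, ys):
    return [(x, y) for x in xs for y in ys]


# Constructed data: normal cluster around x = 0, abnormal cluster around x = 3.
YS5 = [-1.0, -0.5, 0.0, 0.5, 1.0]
YS4 = [-0.75, -0.25, 0.25, 0.75]
ABN_X = [2.0, 2.5, 3.0, 3.5, 4.0]
TRAIN = [(p, N) for p in grid(YS5, YS5)] + [(p, A) for p in grid(ABN_X, YS5)]
TEST = [(p, N) for p in grid(YS5, YS4)] + [(p, A) for p in grid(ABN_X, YS4)]

if __name__ == "__main__":
    for r, (acc, dr) in enumerate(chronic_poisoning(TRAIN, TEST)):
        print(f"round {r:2d}: ACC={acc:.3f}  DR={dr:.3f}")
```

Running the script prints ACC and DR per round; DR starts at 1.0 and drops once the injected points have pulled the normal-class mean, and with it the threshold, past the nearest abnormal test points, which is the drift that Tables II–IV and Fig. 7 report for the real classifiers. Two properties matter for defenders: no label in $\mathcal{D}_{tr}$ is ever modified, only appended, and every injected point was accepted as normal by the deployed model at injection time, so a retraining pipeline that only discards points the current model flags as abnormal does not stop this attack.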
IV. PERFORMANCE EVALUATION AND ANALYSIS
In this section, we evaluate the performance of the proposed algorithms through extensive experiments, as follows. First, we examine the attacking effects of the proposed poisoning method against different learning models on synthetic data sets. Then, we evaluate the performance of the proposed method on three real data sets to further demonstrate its strong capability of reducing the detection performance of multiple learning models. After that, we select a state-of-the-art IDS, called FMIFS-LSSVM-IDS [1], as the poisoning target and give comparative results between the proposed method and two baseline methods.
A. Experimental Setup
1) Data Sets: To demonstrate the performance of the proposed poisoning method without loss of generality, we adopted the synthetic moon data set used in sklearn², where 100 synthetic samples were randomly generated with a noise of 0.2. Regarding the real data sets, we chose three public data sets, i.e., KDDCUP99, NSL-KDD and Kyoto 2006+. KDDCUP99 is a well-known benchmark data set for evaluating the performance of IDSs, which contains five categories of samples (one normal and four abnormal). Moreover, each sample has 41 features. NSL-KDD is a revised version of KDDCUP99, and it has the same numbers of categories and features. Apart from these two widely used data sets, Kyoto 2006+, proposed in [20], is another recognized data set for performance evaluation. The data set has been collected from honeypots and regular servers deployed at Kyoto University since 2006. Moreover, Kyoto 2006+ contains three types of samples, i.e., normal, known attack and unknown attack, and each sample has 24 features.
Considering that the goal of poisoning attacks is to reduce the performance of IDSs at detecting abnormal behaviours, we treat all samples with abnormal labels in each data set as a whole, regardless of their specific attack types. Similar to FMIFS-LSSVM-IDS, we preprocess and normalize all samples such that each feature value falls into the range [0, 1]. To evaluate the effectiveness of the proposed poisoning method, we use two types of data for performance evaluation, i.e., (a) evaluating data that are randomly selected from the training data, and (b) the official testing data from the public data sets.
²http://scikit-learn.org
2) Performance Metrics: For an IDS, accuracy and detection rate are the two primary performance metrics. Hence, we also adopt these two metrics in this paper to evaluate the performance reduction of machine learning-based IDSs under the proposed poisoning attack. The accuracy ($ACC$) and the detection rate ($DR$) with respect to abnormal samples are defined by

$$ACC = \frac{TP + TN}{TP + TN + FN + FP}, \quad (6)$$
$$DR = \frac{TP}{TP + FN}, \quad (7)$$

where true positive ($TP$) is the number of truly abnormal samples classified as abnormal by the IDS, true negative ($TN$) is the number of truly normal samples treated as normal, false positive ($FP$) is the number of truly normal samples classified as abnormal, and false negative ($FN$) is the number of truly abnormal samples classified as normal.
B. Performance of the Proposed Poisoning Method over Synthetic Data Sets
To demonstrate the attacking effects of chronic poisoning, we first evaluated the performance of the proposed poisoning method against six different learning models on synthetic data sets. The evaluated models included NB-Gaussian, LR, SVM with a sigmoid kernel (SVM-sigmoid), SVM with a polynomial kernel (SVM-POLY), SVM with a radial basis function kernel (SVM-RBF) and SVM with a linear kernel (SVM-linear). To focus on the poisoning itself, we simply used the default model parameters of the sklearn tool. Fig. 5 illustrates the comparative results of five-round poisoning against the different learning models, where the blue and white points represent the training data with normal and abnormal labels, respectively. In Fig. 5, the red points are the adversarial samples generated by BEBP, and the discriminant boundary between normal and abnormal samples is shown as the line separating the blue and red regions. Moreover, we would like to highlight that the red points in the figures of SVM-sigmoid at the 5th round and SVM-POLY at the 3rd–5th rounds denote truly abnormal data. From Fig. 5, we can see that no matter what the learning model is, the discriminant boundary gradually moves towards the centre of the abnormal data. Accordingly, more abnormal points are wrongly classified as normal as the number of poisoning rounds increases.
Fig. 5. Comparative results of five-round poisoning against different learning models on synthetic data sets
TABLE I
SUMMARY OF SAMPLE DISTRIBUTIONS OF THE RANDOMLY SELECTED DATA REGARDING THE KDDCUP99 AND NSL-KDD DATA SETS
Data Set               NORMAL  PROB  DOS   U2R  R2L
KDDCUP99  Training     2000    300   3790  32   350
          Evaluating   2000    500   3900  20   400
NSL-KDD   Training     2000    300   3790  32   350
          Evaluating   2000    500   3900  20   400
C. Performance of the Proposed Poisoning Method over Real Data Sets
Following the sample selection method in [2], we adopted 6472 samples as training data and 6820 samples as evaluating data, randomly selected from “kddcup.data_10_percent_corrected” (“KDDTrain+”) of the KDDCUP99 (NSL-KDD) data set. Table I summarizes the sample distributions of the selected data regarding the KDDCUP99 and NSL-KDD data sets. Similar to [1], for the Kyoto 2006+ data set we randomly selected 13292 samples from the traffic data collected during 27–31 August 2009.
As mentioned before, the parameter $\eta$ controls the poisoning ratio of adversarial samples to normal training data. Hence, it is meaningful to examine how the poisoning results change with different values of $\eta$. For simplicity and without loss of generality, we took NSL-KDD as the evaluating data set and carried out a group of experiments with different settings of $\eta$. The comparative results on NSL-KDD evaluating data with respect to different values of the poisoning ratio are illustrated in Fig. 6. We can see from Fig. 6 that the DR of the different learning models tends to decrease as $\eta$ increases.
To further demonstrate the effectiveness of the proposed poisoning method against different learning models, we carried out more experiments on the KDDCUP99, NSL-KDD and Kyoto 2006+ data sets. Specifically, we set the total number of poisoning rounds to 15 in each comparative experiment, and we independently reran the poisoning attacks 10 times to minimize the fluctuation of experimental results caused by random data sampling. Moreover, the poisoning ratio $\eta$ was set to 0.07 in all experiments. The comparative results of $ACC$ and $DR$ under the proposed poisoning attack are given in Tables II–IV and Fig. 7, respectively. The comparative results on the three benchmark data sets demonstrate that both $ACC$ and $DR$ of classifiers detecting abnormal behaviours decrease significantly when the proposed chronic poisoning attack continues for a long time. Furthermore, the similar changes across different learning models validate that the proposed poisoning method scales to attacking black-box detection models.
Fig. 6. Comparative results on NSL-KDD evaluating data with respect to different values of poisoning ratio
TABLE II
COMPARATIVE RESULTS OF ACC ON KDDCUP99 UNDER THE PROPOSED POISONING ATTACK (each cell: evaluating result; testing result)
Round     NB               LR               SVM-sigmoid      SVM-POLY         SVM-RBF          SVM-linear
Round 0   (0.9256;0.8757)  (0.9794;0.9168)  (0.9644;0.9215)  (0.9285;0.919)   (0.981;0.9216)   (0.9809;0.9289)
Round 5   (0.6102;0.4478)  (0.9311;0.8667)  (0.8825;0.8948)  (0.8517;0.6898)  (0.9091;0.8542)  (0.9304;0.8177)
Round 10  (0.429;0.3088)   (0.8745;0.8474)  (0.8071;0.6984)  (0.7861;0.6706)  (0.8762;0.8013)  (0.8776;0.7881)
Round 15  (0.3677;0.247)   (0.8118;0.7089)  (0.7013;0.6398)  (0.3986;0.2989)  (0.7461;0.6303)  (0.7278;0.6679)
TABLE III
COMPARATIVE RESULTS OF ACC ON NSL-KDD UNDER THE PROPOSED POISONING ATTACK (each cell: evaluating result; testing result)
Round     NB               LR               SVM-sigmoid      SVM-POLY         SVM-RBF          SVM-linear
Round 0   (0.8895;0.7711)  (0.8536;0.7733)  (0.9508;0.781)   (0.892;0.7799)   (0.9576;0.7724)  (0.9578;0.7615)
Round 5   (0.7726;0.6471)  (0.8822;0.7049)  (0.809;0.6429)   (0.8233;0.6753)  (0.8337;0.6897)  (0.8756;0.6875)
Round 10  (0.6694;0.5403)  (0.8051;0.646)   (0.7682;0.6034)  (0.7227;0.5162)  (0.7904;0.6552)  (0.7829;0.6222)
Round 15  (0.6158;0.5164)  (0.7324;0.5563)  (0.5207;0.4683)  (0.3904;0.4445)  (0.6057;0.5155)  (0.6875;0.5125)
TABLE IV
COMPARATIVE RESULTS OF ACC ON KYOTO 2006+ UNDER THE PROPOSED POISONING ATTACK (evaluating data)
Round     NB      LR      SVM-sigmoid  SVM-POLY  SVM-RBF  SVM-linear
Round 0   0.9541  0.9834  0.9734       0.9315    0.9821   0.989
Round 5   0.6475  0.9339  0.8984       0.869     0.9074   0.93
Round 10  0.6181  0.8095  0.5457       0.4131    0.6142   0.763
Round 15  0.5701  0.5422  0.4794       0.4131    0.5362   0.5376
D. Comparative Results of Poisoning FMIFS-LSSVM-IDS
In this part, we further demonstrate the performance of the proposed poisoning method against a state-of-the-art machine learning based IDS named FMIFS-LSSVM-IDS. Here, we select two more poisoning methods as comparative baselines, i.e., BASIC and RANDOM [14]. In the BASIC method, if $N$ adversarial samples are added to the training data, then $N$ normal samples randomly selected from the normal training data are also added. In the RANDOM method, on the other hand, we generate a number of samples with random features; those samples that are classified as normal by FMIFS-LSSVM-IDS are then chosen as valid adversarial samples. Finally, some normal samples are randomly selected from the normal training data and added as well. Fig. 8 illustrates the comparative results among the different poisoning methods.
We can see from Fig. 8 that the proposed poisoning method is more effective at reducing the $DR$ of FMIFS-LSSVM-IDS than BASIC and RANDOM on all three data sets. These results further demonstrate the advantage of the proposed method for attacking state-of-the-art IDSs.
V. CONCLUSION AND FUTURE WORK
In this paper, we have proposed a novel poisoning method using the EPD algorithm. Specifically, we first proposed the BPD algorithm to generate adversarial samples that lie near the discriminant boundary defined by classifiers but are still classified as normal. To address the limited number of adversarial samples generated by BPD, we further presented the BEBP algorithm to obtain more useful adversarial samples. After that, we introduced a chronic poisoning attack based on BEBP. Extensive experiments on synthetic and real data sets demonstrate the effectiveness of the proposed poisoning method against different learning models and state-of-the-art IDSs, e.g., FMIFS-LSSVM-IDS.
In future, it is worthwhile to study the scalability of the proposed poisoning method in more depth. Moreover, research on defending against the proposed poisoning method will be interesting work as well.
Fig. 7. Comparative results of DR under the proposed poisoning attack
Fig. 8. Comparative results among different poisoning methods against FMIFS-LSSVM-IDS
REFERENCES
[1] M. A. Ambusaidi, X. He, P. Nanda, and Z. Tan, “Building an intrusion detection system using a filter-based feature selection algorithm,” IEEE Trans. Comput., vol. 65, no. 10, pp. 2986–2998, 2016.
[2] K. Kishimoto, H. Yamaki, and H. Takakura, “Improving performance of anomaly-based IDS by combining multiple classifiers,” in Proc. of the SAINT’11, 2011, pp. 366–371.
[3] B. Nelson, M. Barreno, F. J. Chi, A. D. Joseph, B. I. P. Rubinstein, U. Saini, C. Sutton, J. D. Tygar, and K. Xia, “Misleading learners: Co-opting your spam filter,” in Machine Learning in Cyber Trust. Springer, Boston, MA, 2009.
[4] B. Biggio, K. Rieck, D. Ariu, C. Wressnegger, I. Corona, G. Giacinto, and F. Roli, “Poisoning behavioral malware clustering,” in Proc. of the AISec’14. New York, NY, USA: ACM, 2014, pp. 27–36.
[5] W. Hu and Y. Tan, “Generating adversarial malware examples for black-box attacks based on GAN,” arXiv.org, 2017. [Online]. Available: https://arxiv.org/abs/1702.05983
[6] M. Kloft and P. Laskov, “Online anomaly detection under adversarial impact,” in Proc. of the AISTATS’10, 2010, pp. 405–412.
[7] B. I. Rubinstein, B. Nelson, L. Huang, A. D. Joseph, S.-h. Lau, S. Rao, N. Taft, and J. D. Tygar, “Antidote: Understanding and defending against poisoning of anomaly detectors,” in Proc. of the IMC’09. New York, NY, USA: ACM, 2009, pp. 1–14.
[8] M. Barreno, B. Nelson, R. Sears, A. D. Joseph, and J. D. Tygar, “Can machine learning be secure?” in Proc. of the ASIACCS’06. New York, NY, USA: ACM, 2006, pp. 16–25.
[9] W. Xu, Y. Qi, and D. Evans, “Automatically evading classifiers: A case study on PDF malware classifiers,” in Proc. of the NDSS’16, 2016, pp. 1–15.
[10] N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami, “Practical black-box attacks against machine learning,” in Proc. of the ASIACCS’17. New York, NY, USA: ACM, 2017, pp. 506–519.
[11] S. M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “DeepFool: A simple and accurate method to fool deep neural networks,” in Proc. of the CVPR’16, 2016, pp. 2574–2582.
[12] B. Biggio, B. Nelson, and P. Laskov, “Poisoning attacks against support vector machines,” in Proc. of the ICML’12, 2012, pp. 1467–1474.
[13] C. Yang, Q. Wu, H. Li, and Y. Chen, “Generative poisoning attack method against neural networks,” arXiv.org, 2017. [Online]. Available: https://arxiv.org/abs/1703.01340
[14] M. Zhao, B. An, W. Gao, and T. Zhang, “Efficient label contamination attacks against black-box learning models,” in Proc. of the IJCAI’17, 2017, pp. 3945–3951.
[15] I. Rosenberg, A. Shabtai, L. Rokach, and Y. Elovici, “Generic black-box end-to-end attack against RNNs and other API calls based malware classifiers,” arXiv.org, 2017. [Online]. Available: https://arxiv.org/abs/1707.05970
[16] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing machine learning models via prediction APIs,” arXiv.org, 2016.
[17] Y. Li and L. Maguire, “Selecting critical patterns based on local geometrical and statistical information,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 33, no. 6, pp. 1189–1201, 2011.
[18] S. Wang, Q. Liu, E. Zhu, J. Yin, and W. Zhao, “MST-GEN: An efficient parameter selection method for one-class extreme learning machine,” IEEE Trans. Cybern., vol. 47, no. 10, pp. 3266–3279, 2017.
[19] B. Biggio, G. Fumera, and F. Roli, “Security evaluation of pattern classifiers under attack,” IEEE Trans. Knowl. Data Eng., vol. 26, no. 4, pp. 984–996, 2014.
[20] J. Song, H. Takakura, Y. Okabe, M. Eto, D. Inoue, and K. Nakao, “Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation,” in Proc. of the BADGERS’11. New York, NY, USA: ACM, 2011, pp. 29–36.
... If there are any possible evasions or specific requirements for the IDS solution, enterprises need to know that before running the software in production. We acknowledge, though, that testing the robustness of AI/ML-based IDS has been a topic in quite a few papers we found during our literature review [44], [63], [65], [76], [78], [176], e.g., via countermeasures like data poisoning or evasion attacks. In other words, synthetic data is created by generative methods such as Auto-Encoders (AEs) or Generative Adversarial Networks (GANs), and injected either during training or testing to fool the AI/ML model [44]. ...
Article
Intrusion Detection Systems (IDS) tackle the challenging task of detecting network attacks as fast as possible. As this is getting more complex in modern enterprise networks, Artificial Intelligence (AI) and Machine Learning (ML) have gained substantial popularity in research. However, their adoption into real-world IDS solutions remains poor. Academic research often overlooks the interconnection of users and technical aspects. This leads to less explainable AI/ML models that hinder trust among AI/ML non-experts. Additionally, research often neglects secondary concerns such as usability and privacy. If IDS approaches conflict with current regulations or if administrators cannot deal with attacks more effectively, enterprises will not adopt the IDS in practice. To identify those problems systematically, our literature survey takes a user-centric approach; we examine IDS research from the perspective of stakeholders by applying the concept of personas. Further, we investigate multiple factors limiting the adoption of AI/ML in security and suggest technical, non-technical, and user-related considerations to enhance the adoption in practice. Our key contributions are threefold. (i) We derive personas from realistic enterprise scenarios, (ii) we provide a set of relevant hypotheses in the form of a review template, and (iii), based on our reviews, we derive design guidelines for practical implementations. To the best of our knowledge, this is the first paper that analyzes practical adoption barriers of AI/ML-based intrusion detection solutions concerning appropriateness of data, reproducibility, explainability, practicability, usability, and privacy. Our guidelines may help researchers to holistically evaluate their AI/ML-based IDS approaches to increase practical adoption.
Article
In recent years, machine learning is being used in various systems in a wide variety of applications like healthcare, image processing, computer vision, classification, etc. Machine learning has shown that it can solve complex problems with abilities very similar to those of human beings, and even beyond them. But various research proves the vulnerability of ML models in terms of different security attacks on ML systems. These attacks are hard to detect because they can hide in data at various stages of the machine learning pipeline without being detected. This survey aims to analyse various security attacks on machine learning and categorize them depending on the position of the attacks in the machine learning pipeline. This paper will focus on all aspects of machine learning security at various stages from the training phase to the testing phase. The machine learning pipeline, the aims of the attacker and the different attacks are considered in this paper.
... There are many poisoning attacks proposed which target anomaly detection systems in a network. P. Li et al. [8] adopted an edge pattern detection (EPD) algorithm which is tested against multiple ML algorithms like NB, LR and SVM used in IDSs. It further proposed a chronic poisoning attack which is more effective. ...
Article
In recent years, machine learning is being used in various systems in a wide variety of applications like healthcare, image processing, computer vision, classification, etc. Machine learning algorithms have shown that they can solve complex problems with capabilities close to or beyond those of humans. But recent studies show that machine learning algorithms and models are vulnerable to various attacks which compromise the security of the systems. These attacks are hard to detect because they can hide in data at various stages of the machine learning pipeline without being detected. This survey aims to analyse various security attacks on machine learning and categorize them depending on the position of the attacks in the machine learning pipeline. This paper will focus on all aspects of machine learning security at various stages from the training phase to the testing phase instead of focusing on one type of security attack. The machine learning pipeline, the attacker's goals, the attacker's knowledge and attacks on specified applications are considered in this paper. This paper also presents the future scope of research on security attacks in machine learning. In this survey paper, we conclude that the machine learning pipeline itself is vulnerable to different attacks, so there is a need to build a secure and robust machine learning pipeline. Our survey categorizes these security attacks in detail with respect to ML pipeline stages.
Article
In recent years, machine learning is being used in various systems in a wide variety of applications like healthcare, image processing, computer vision, classification, etc. Machine learning has shown that it can solve complex problems more easily and efficiently than human beings. But through wide research it has been found that the security of ML systems can be compromised by various attacks. This survey aims to analyse various defence mechanisms and measures which can protect the complete machine learning pipeline against various attacks. We categorize them depending on the position of the attacks in the machine learning pipeline. This paper will focus on all aspects of ML security at various stages from the training phase to the testing phase instead of focusing on one type of security countermeasure.
Article
Machine learning-based network intrusion detection systems (ML-NIDS) are extensively used for network security against unknown attacks. Existing intrusion detection systems can effectively defend against traditional network attacks; however, they face AI-based threats. The currently known AI attacks cannot balance the escape rate and attack effectiveness. In addition, the time cost of existing AI attacks is very high. In this paper, we propose a backdoor attack called VulnerGAN, which features high concealment, high aggressiveness, and high timeliness. The backdoor can make specific attack traffic bypass the detection of ML-NIDS without affecting the performance of ML-NIDS in identifying other attack traffic. VulnerGAN uses generative adversarial networks (GAN) to calculate poisoning and adversarial samples based on machine learning model vulnerabilities. It can make traditional network attack traffic escape black-box online ML-NIDS. At the same time, model extraction and fuzzing tests are used to enhance the convergence of VulnerGAN. Compared with the state-of-the-art algorithms, the VulnerGAN backdoor attack increases 33.28% in concealment, 18.48% in aggressiveness, and 46.32% in timeliness.
Conference Paper
Label contamination attack (LCA) is an important type of data poisoning attack where an attacker manipulates the labels of training data to make the learned model beneficial to him. Existing work on LCA assumes that the attacker has full knowledge of the victim learning model, whereas the victim model is usually a black box to the attacker. In this paper, we develop a Projected Gradient Ascent (PGA) algorithm to compute LCAs on a family of empirical risk minimizations and show that an attack on one victim model can also be effective on other victim models. This makes it possible for the attacker to design an attack against a substitute model and transfer it to a black-box victim model. Based on the observation of the transferability, we develop a defense algorithm to identify the data points that are most likely to be attacked. Empirical studies show that PGA significantly outperforms existing baselines and that linear learning models are better substitute models than nonlinear ones.
Conference Paper
Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs, while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists of training a local model to substitute for the target DNN, using inputs synthetically generated by an adversary and labeled by the target DNN. We use the local substitute to craft adversarial examples, and find that they are misclassified by the targeted DNN. To perform a real-world and properly blinded evaluation, we attack a DNN hosted by MetaMind, an online deep learning API. We find that their DNN misclassifies 84.24% of the adversarial examples crafted with our substitute. We demonstrate the general applicability of our strategy to many ML techniques by conducting the same attack against models hosted by Amazon and Google, using logistic regression substitutes. They yield adversarial examples misclassified by Amazon and Google at rates of 96.19% and 88.94%. We also find that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.
Conference Paper
Machine learning (ML) models may be deemed confidential due to their sensitive training data, commercial value, or use in security applications. Increasingly often, confidential ML models are being deployed with publicly accessible query interfaces. ML-as-a-service ("predictive analytics") systems are an example: Some allow users to train models on potentially sensitive data and charge others for access on a pay-per-query basis. The tension between model confidentiality and public access motivates our investigation of model extraction attacks. In such attacks, an adversary with black-box access, but no prior knowledge of an ML model's parameters or training data, aims to duplicate the functionality of (i.e., "steal") the model. Unlike in classical learning theory settings, ML-as-a-service offerings may accept partial feature vectors as inputs and include confidence values with predictions. Given these practices, we show simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees. We demonstrate these attacks against the online services of BigML and Amazon Machine Learning. We further show that the natural countermeasure of omitting confidence values from model outputs still admits potentially harmful model extraction attacks. Our results highlight the need for careful ML model deployment and new model extraction countermeasures.
Conference Paper
Clustering algorithms have become a popular tool in computer security to analyze the behavior of malware variants, identify novel malware families, and generate signatures for antivirus systems. However, the suitability of clustering algorithms for security-sensitive settings has been recently questioned by showing that they can be significantly compromised if an attacker can exercise some control over the input data. In this paper, we revisit this problem by focusing on behavioral malware clustering approaches, and investigate whether and to what extent an attacker may be able to subvert these approaches through a careful injection of samples with poisoning behavior. To this end, we present a case study on Malheur, an open-source tool for behavioral malware clustering. Our experiments not only demonstrate that this tool is vulnerable to poisoning attacks, but also that it can be significantly compromised even if the attacker can only inject a very small percentage of attacks into the input data. As a remedy, we discuss possible countermeasures and highlight the need for more secure clustering algorithms.
Article
State-of-the-art deep neural networks have achieved impressive results on many image classification tasks. However, these same architectures have been shown to be unstable to small, well-sought perturbations of the images. Despite the importance of this phenomenon, no effective methods have been proposed to accurately compute the robustness of state-of-the-art deep classifiers to such perturbations on large-scale datasets. In this paper, we fill this gap and propose the DeepFool framework to efficiently compute perturbations that fool deep networks and thus reliably quantify the robustness of arbitrary classifiers. Extensive experimental results show that our approach outperforms recent methods in the task of computing adversarial perturbations and making classifiers more robust. To encourage reproducible research, the code of DeepFool will be available online.
Article
Deep neural networks are being used to solve complex classification problems, in which other machine learning classifiers, such as SVM, fall short. Recurrent Neural Networks (RNNs) have been used for tasks that involve sequential inputs, like speech-to-text. In the cyber security domain, RNNs based on API calls have been able to classify unsigned malware better than other classifiers. In this paper we present a black-box attack against RNNs, focusing on finding adversarial API call sequences that would be misclassified by an RNN without affecting the malware functionality. We also show that this attack is effective against many classifiers, due to the transferability principle between RNN variants, feed-forward DNNs and state-of-the-art traditional machine learning classifiers. Finally, we introduce the transferability by transitivity principle, causing an attack against a generalized classifier like RNN variants to be transferable to less generalized classifiers like feed-forward DNNs. We conclude by discussing possible defense mechanisms.
Article
One-class classification (OCC) models a set of target data from one class to detect outliers. OCC approaches like one-class support vector machine (OCSVM) and support vector data description (SVDD) have wide practical applications. Recently, one-class extreme learning machine (OCELM), which inherits the fast learning speed of the original ELM and achieves equivalent or higher data description performance than OCSVM and SVDD, has been proposed as a promising alternative. However, OCELM faces the same thorny parameter selection problem as OCSVM and SVDD. It significantly affects the performance of OCELM and remains under-explored. This paper proposes minimal spanning tree (MST)-GEN, an automatic way to select proper parameters for OCELM. Specifically, we first build an n-round MST to model the structure and distribution of the given target set. With information from the n-round MST, a controllable number of pseudo outliers are generated by edge pattern detection and a novel "repelling" process, which readily overcomes two fundamental problems in previous outlier generation methods: where and how many pseudo outliers should be generated. Unlike previous methods that only generate pseudo outliers, we further exploit the n-round MST to generate pseudo target data, so as to avoid the time-consuming cross-validation process and accelerate the parameter selection. Extensive experiments on various datasets suggest that the proposed method can select parameters for OCELM in a highly efficient and accurate manner when compared with existing methods, which enables OCELM to achieve better OCC performance in OCC applications. Furthermore, our experiments show that MST-GEN can also be favorably applied to other prevalent OCC methods like OCSVM and SVDD.
Article
Machine learning has been used to detect new malware in recent years, while malware authors have strong motivation to attack such algorithms. Malware authors usually have no access to the detailed structures and parameters of the machine learning models used by malware detection systems, and therefore they can only perform black-box attacks. This paper proposes a generative adversarial network (GAN) based algorithm named MalGAN to generate adversarial malware examples, which are able to bypass black-box machine learning based detection models. MalGAN uses a substitute detector to fit the black-box malware detection system. A generative network is trained to minimize the generated adversarial examples' malicious probabilities predicted by the substitute detector. The superiority of MalGAN over traditional gradient-based adversarial example generation algorithms is that MalGAN is able to decrease the detection rate to nearly zero and make the retraining-based defensive method against adversarial examples hard to apply.
Article
Redundant and irrelevant features in data have caused a long-term problem in network traffic classification. These features not only slow down the process of classification but also prevent a classifier from making accurate decisions, especially when coping with big data. In this paper, we propose a mutual information based algorithm that analytically selects the optimal features for classification. This mutual information based feature selection algorithm can handle linearly and nonlinearly dependent data features. Its effectiveness is evaluated in the case of network intrusion detection. An Intrusion Detection System (IDS), named Least Square Support Vector Machine based IDS (LSSVM-IDS), is built using the features selected by our proposed feature selection algorithm. The performance of LSSVM-IDS is evaluated using three intrusion detection evaluation datasets, namely KDD Cup 99, NSL-KDD and the Kyoto 2006+ dataset. The evaluation results show that our feature selection algorithm contributes more critical features for LSSVM-IDS to achieve better accuracy and lower computational cost compared with the state-of-the-art methods.